Key diversification in a tracking device environment

ABSTRACT

A tracking device can use a permanent encryption key pair to encrypt a temporary private key that corresponds to a set of diversified temporary public keys. When a community mobile device subsequently detects the tracking device, the central tracking system provides a diversified temporary public key to the community mobile device. The community mobile device uses the diversified temporary public key to encrypt location data representative of a location of the community mobile device, and provides the encrypted location data to the central tracking system. When a user subsequently requests a location of the tracking device from the central tracking system, the central tracking system provides the encrypted temporary private key and the encrypted location data to a device of the user, and the device can decrypt the encrypted temporary private key using the permanent encryption key pair, and decrypt the encrypted location data using the decrypted temporary private key.

RELATED APPLICATIONS

This application claims priority to and the benefit of U.S. Provisional Application No. 62/923,552, filed Oct. 20, 2019, the contents of which are hereby incorporated in their entirety. This application is also related to U.S. application Ser. No. 16/546,122, filed Aug. 20, 2019, the contents of which are hereby incorporated in their entirety.

BACKGROUND

This disclosure relates generally to locating a tracking device, and more specifically, to securely providing location and identity information for a tracking device to a centralized system.

Electronic tracking devices have created numerous ways for people to track the locations of people and/or objects. For example, a user can use GPS technology to track a device remotely or determine a location of the user. In another example, a user can attach a tracking device to an important object, such as keys or a wallet, and use the features of the tracking device to more quickly locate the object, (e.g., if it becomes lost).

However, traditional tracking devices and corresponding systems suffer from one or more disadvantages. For example, locating a tracking device from a far-away distance requires a considerable amount of power. Thus, battery life of a tracking device is often limited. Further, technology for long-range tracking is expensive, and often requires sophisticated circuitry for operating in connection with an associated electronic device (e.g., a mobile device). Additionally, low-power options for tracking devices are limited to tracking nearby objects that require a user to be within a close proximity of the tracking devices, limiting the usefulness of such tracking devices.

SUMMARY

A tracking device can be associated with a permanent encryption key pair, a temporary private key and a set of diversified temporary public keys generated based in part on the temporary private key. Data encrypted by any of the set of diversified temporary public keys can be decrypted using the temporary private key. The set of diversified temporary public keys can be provided to a central tracking system or to a key server. In some embodiments, the temporary private key is encrypted using the permanent public key and is also provided to the central tracking system.

When a community mobile device detects the tracking device, for instance by receiving an advertising packet including a hashed identifier for the tracking device, the community mobile device provides the hashed identifier to the central tracking system or a key server. The central tracking system or key server identifies a diversified temporary public key from the set of diversified temporary public keys based on the hashed identifier, and provides the identified diversified temporary public key to the community mobile device.

The community mobile device determines a location of the community mobile device, for instance by activating a GPS receiver of the community mobile device in response to receiving the hashed identifier. The community mobile device then encrypts location data representative of the location using the diversified temporary public key received from the central tracking system. The community mobile device then provides the hashed identifier and the encrypted location data to the central tracking system for storage.

When a user, such as an owner of the tracking device, subsequently requests a location of the tracking device from the central tracking system, the central tracking system provides the hashed identifier, the encrypted location data, and (if the central tracking system is storing the encrypted temporary private key) the encrypted temporary private key to an owner device associated with the owner. The owner device, which has access to the permanent private key, can decrypt the encrypted temporary private key using the permanent private key. The owner device then decrypts the encrypted location data using the temporary private key, and performs one or more operations using the decrypted location data (such as displaying the location of the tracking device within a map interface displayed by the owner device).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an exemplary implementation for locating a tracking device according to principles described herein.

FIG. 2 illustrates an exemplary tracking system of the implementation of FIG. 1.

FIG. 3 illustrates an exemplary user mobile device of the implementation of FIG. 1.

FIG. 4 illustrates an exemplary community mobile device of the implementation of FIG. 1.

FIG. 5 illustrates a process of identifying a tracking device and an associated location, according to one embodiment.

FIG. 6 illustrates a process of determining device location in response to movement detection, according to one embodiment.

FIG. 7 illustrates a process of selecting between current or previous device location information, according to one embodiment.

FIG. 8 is an interaction diagram illustrating a process for implementing end-to-end encryption in a tracking device environment, according to one embodiment.

FIG. 9 illustrates a process for implementing end-to-end encryption in a tracking device environment, according to one embodiment.

FIG. 10 is an interaction diagram illustrating a process for implementing end-to-end encryption in a tracking device environment using key diversification, according to one embodiment.

FIG. 11 illustrates a process for implementing end-to-end encryption in a tracking device environment using key diversification, according to one embodiment.

The figures depict various embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.

DETAILED DESCRIPTION

Embodiments described herein provide a user with the ability to locate one or more low-power tracking devices by leveraging the capabilities of a plurality of mobile devices associated with a community of users (e.g., users of the same tracking device system) in a secure and privacy-focused environment.

A user can attach a tracking device to or enclose the tracking device within an object, such as a wallet, keys, a car, a bike, a pet, or any other object that the user wants to track. The user can then use a mobile device (e.g., by way of a software application installed on the mobile device) to track the tracking device and corresponding object. For example, the mobile device can perform a local search for a tracking device attached to a near-by object. However, in situations where the user is unable to locate the tracking device using their own mobile device (e.g., if the tracking device is beyond a distance within which the mobile device and the tracking device can communicate), the principles described herein allow the user to leverage the capabilities of a community of users of a tracking device system.

In particular, a tracking system (also referred to herein as a “cloud server” or simply “server”) can maintain user profiles associated with a plurality of users of the system. The tracking system can associate each user within the system with one or more tracking devices associated the user (e.g., tracking devices that the user has purchased and is using to track objects owned by the user). If the user's object becomes lost or stolen, the user can send an indication that the tracking device is lost to the tracking system, which is in communication with one or more mobile devices associated with the community of users in communication with the system. The tracking system can set a flag indicating the tracking device is lost. When one of a community of mobile devices that are scanning for nearby tracking devices and providing updated locations to the tracking system identifies a flagged tracking device, the tracking system can associate the received location with the flagged tracking device, and relay the location to a user of the tracking device, thereby enabling the user to locate and track down the tracking device.

In addition to utilizing a general community of users, a user of the tracking system may desire to utilize the tracking capabilities of a specific group of one or more known users (e.g., friends or family of the user). For example, a user may indicate one or more friends or other users with which a tracking device may be shared. Sharing the tracking device may provide the ability for a friend to quickly determine if a tracking device is close-by without also querying a larger community of users, or to enable a friend to contact a user directly with information about the location of a lost tracking device.

Environment Overview

FIG. 1 illustrates an exemplary implementation in which a tracking system 100 is communicatively coupled to a mobile device 102 associated with the user 103 and a plurality of community mobile devices 104 a through 104 n (collectively referred to herein as “community mobile devices 104”) associated with a plurality of users 105 a through 105 n of the tracking system 100 (collectively referred to herein as “community users 105”). As will be explained in more detail below, the tracking system 100 can allow the user 103 to manage and/or locate a tracking device 106 associated with the user 103. In some embodiments, the tracking system 100 leverages the capabilities of community mobile devices 104 to locate the tracking device 106 if the location of the tracking device is unknown to the user 103 and beyond the capabilities of mobile device 102 to track. In some configurations, the user 103 may own and register multiple tracking devices 106. Although FIG. 1 illustrates a particular arrangement of the tracking system 100, mobile device 102, community mobile devices 104, and tracking device 106, various additional arrangements are possible.

In some configurations, the user 103 may be part of the community of users 105. Further, one or more users 105 may own and register one or more tracking devices 106. Thus, any one of the users within the community of users 105 can communicate with tracking system 100 and leverage the capabilities of the community of users 105 in addition to the user 103 to locate a tracking device 106 that has been lost.

The tracking system 100, mobile device 102, and plurality of community mobile devices 104 may communicate using any communication platforms and technologies suitable for transporting data and/or communication signals, including known communication technologies, devices, media, and protocols supportive of remote data communications.

In certain embodiments, the tracking system 100, mobile device 102, and community mobile devices 104 may communicate via a network 108, which may include one or more networks, including, but not limited to, wireless networks (e.g., wireless communication networks), mobile telephone networks (e.g., cellular telephone networks), closed communication networks, open communication networks, satellite networks, navigation networks, broadband networks, narrowband networks, the Internet, local area networks, and any other networks capable of carrying data and/or communications signals between the tracking system 100, mobile device 102, and community mobile devices 104. The mobile device 102 and community of mobile devices 104 may also be in communication with a tracking device 106 via a second network 110. The second network 110 may be a similar or different type of network as the first network 108. In some embodiments, the second network 110 comprises a wireless network with a limited communication range, such as a Bluetooth or Bluetooth Low Energy (BLE) wireless network. In some configurations, the second network 110 is a point-to-point network including the tracking device 106 and one or more mobile devices that fall within a proximity of the tracking device 106. Accordingly, the mobile device 102 and community mobile devices 104 are only able to communicate with the tracking device 106 if they are within a close proximity to the tracking device. In some configurations, the mobile device 102 and one or more community mobile devices 104 may each be associated with multiple tracking devices associated with various users.

As mentioned above, FIG. 1 illustrates the mobile device 102 associated with the user 103. The mobile device 102 can be configured to perform one or more functions described herein with respect to locating tracking devices (e.g., tracking device 106). For example, the mobile device 102 can receive input from the user 103 representative of information about the user 103 and information about a tracking device 106. The mobile device 102 may then provide the received user information, tracking device information, and/or information about the mobile device 102 to the tracking system 100. Accordingly, the tracking system 100 is able to associate the mobile device 102, the user 103, and/or the tracking device 106 with one another. In some embodiments, the mobile device 102 can communicate with the tracking device 106 and provide information regarding the location of the tracking device to the user 103. For example, the mobile device 102 can detect a communication signal from the tracking device 106 (e.g., by way of second network 110) as well as a strength of the communication signal to determine an approximate distance between the mobile device 102 and the tracking device 106. The mobile device 102 can then provide this information to the user 103 (e.g., by way of one or more graphical user interfaces) to assist the user 103 to locate the tracking device 106. Accordingly, the user 103 can use the mobile device 102 to track and locate the tracking device 106 and a corresponding object associated with the tracking device 106. If the mobile device 102 is located beyond the immediate range of communication with the tracking device 106 (e.g., beyond the second network 110), the mobile device 102 can be configured to send an indication that a tracking device 106 is lost to the tracking system 100, requesting assistance in finding the tracking device. The mobile device 102 can send an indication of a lost device in response to a command from the user 103. For example, once the user 103 has determined that the tracking device 106 is lost, the user can provide user input to the mobile device 102 (e.g., by way of a graphical user interface), requesting that the mobile device 102 send an indication that the tracking device 106 is lost to the tracking system 100. In some examples, the lost indication can include information identifying the user 103 (e.g., name, username, authentication information), information associated with the mobile device 102 (e.g., a mobile phone number), information associated with the tracking device (e.g., a unique tracking device identifier), or a location of the user (e.g., a GPS location of the mobile device 102 at the time the request is sent).

The tracking system 100 can be configured to provide a number of features and services associated with the tracking and management of a plurality of tracking devices and/or users associated with the tracking devices. For example, the tracking system 100 can manage information and/or user profiles associated with user 103 and community users 105. In particular, the tracking system 100 can manage information associated with the tracking device 106 and/or other tracking devices associated with the user 103 and/or the community users 105.

As mentioned above, the tracking system 100 can receive an indication that the tracking device 106 is lost from the mobile device 102. The tracking system 100 can then process the indication in order to help the user 103 find the tracking device 106. For example, the tracking system 100 can leverage the capabilities of the community mobile devices 104 to help find the tracking device 106. In particular, the tracking system 100 may set a flag for a tracking device 106 to indicate that the tracking device 106 lost and monitor communications received from the community mobile devices 104 indicating the location of one or more tracking devices 106 within proximity of the community mobile devices 104. The tracking system 100 can determine whether a specific location is associated with the lost tracking device 106 and provide any location updates associated with the tracking device 106 to the mobile device 102. In one example, the tracking system may receive constant updates of tracking device 106 locations regardless of whether a tracking device 106 is lost and provide a most recent updated location of the tracking device 106 in response to receiving an indication that the tracking device 106 is lost.

In some configurations, the tracking system 100 can send a location request associated with the tracking device 106 to each of the community mobile devices 104. The location request can include any instructions and/or information necessary for the community mobile devices 106 to find the tracking device 102. For example, the location request can include a unique identifier associated with the tracking device 106 that can be used by the community mobile devices 104 to identify the tracking device 106. Accordingly, if one of the community mobile devices 104 detects a communication from the tracking device 106 (e.g., if the community mobile device 104 is within range or moves within range of the communication capabilities of the tracking device 106 and receives a signal from the tracking device 106 including or associated with the unique identifier associated with the tracking device 106), the community mobile device 104 can inform the tracking system 100. Using the information received from the community mobile devices 104, the tracking system 100 can inform the user (e.g., by way of the mobile device 102) of a potential location of the tracking device 106.

As shown in FIG. 1 and as mentioned above, the tracking system 100 can communicate with a plurality of community mobile devices 104 associated with corresponding community users 116. For example, an implementation may include a first community mobile device 112 a associated with a first community user 116 a, a second community mobile device 112 b associated with a second community user 116 b, and additional communication mobile devices associated with additional community users up to an nth community mobile device 112 n associated with an nth community user 116 n. The community mobile devices 112 may also include functionality that enables each community mobile device 112 to identify a tracking device 106 within a proximity of the community mobile device 112. In one example, a first community mobile device 112 a within proximity of a tracking device 106 can communicate with the tracking device 106, identify the tracking device 106 (e.g., using a unique identifier associated with the tracking device 106), and/or detect a location associated with the tracking device 106 (e.g., a location of the first mobile community device 104 a at the time of the communication with the tracking device 106). This information can be used to provide updated locations and/or respond to a location request from the tracking system 100 regarding the tracking device 106. In some embodiments, the steps performed by the first community mobile device 104 a can be hidden from the first community user 105 a. Accordingly, the first community mobile device 104 a can assist in locating the tracking device 106 without bother and without the knowledge of the first community user 105 a.

As mentioned above, the tracking system 100 can assist a user 103 in locating a tracking device 106. The tracking device may be a chip, tile, tag, or other device for housing circuitry and that may be attached to or enclosed within an object such as a wallet, keys, purse, car, or other object that the user 103 may track. Additionally, the tracking device 106 may include a speaker for emitting a sound and/or a transmitter for broadcasting a beacon. In one configuration, the tracking device 106 may constantly transmit a beacon signal that may be detected using a nearby mobile device 102 and/or community mobile device 104. In some configurations, the tracking device 106 broadcasts a beacon at regular intervals (e.g., one second intervals) that may be detected from a nearby mobile device (e.g., community mobile device 104). The strength of the signal emitted from the tracking device 106 may be used to determine a degree of proximity to the mobile device 102 or community mobile device 104 that detects the signal. For example, a higher strength signal would indicate a close proximity between the tracking device 106 and the mobile device 102 and a lower strength signal would indicate a more remote proximity between the tracking device 106 and the mobile device 102. In some cases, the strength of signal or absence of a signal may be used to indicate that a tracking device 106 is lost.

System Overview

FIG. 2 illustrates a diagram showing example components of the tracking system 100. As shown, the tracking system 100 may include, but is not limited to, an association manager 204, a tracking device location manager 206, and a data manager 208, each of which may be in communication with one another using any suitable communication technologies. It will be recognized that although managers 204-208 are shown to be separate in FIG. 2, any of the managers 204-208 may be combined into fewer managers, such as into a single manager, or divided into more managers as may serve a particular embodiment.

The association manager 204 may be configured to receive, transmit, obtain, and/or update information about a user 103 and/or information about one or more specific tracking devices (e.g., tracking device 106). In some configurations, the association manager 204 may associate information associated with a user 103 with information associated with a tracking device 106. For example, user information and tracking information may be obtained by way of a mobile device 102, and the association manager 204 may be used to link the user information and tracking information. The association between user 103 and tracking device 106 may be used for authentication purposes, or for storing user information, tracking device information, permissions, or other information about a user 103 and/or tracking device 106 in a database.

The tracking system 100 also includes a tracking device location manager 206. The tracking device location manager 206 may receive and process an indication that the tracking device 106 is lost from a mobile device (e.g., mobile device 102 or community mobile devices 104). For example, the tracking system 100 may receive a lost indication from a mobile device 102 indicating that the tracking device 106 is lost. The tracking device location manager 206 may set a flag on a database (e.g., tracker database 212) indicating that the tracking device 106 is lost. The tracking device location manager 206 may also query a database to determine tracking information corresponding to the associated user 103 and/or tracking device 106. The tracking system 100 may obtain tracking device information and provide the tracking device information or other information associated with the tracking device 106 to a plurality of community mobile devices 104 to be on alert for the lost or unavailable tracking device 106. The tracking device location manager 206 may also be used to receive and process a response to a tracking request that is received from one or more community mobile devices 104 that detect the tracking device 106 and respond to the tracking request. For example, the tracking system 100 may receive a response to the tracking request indicating a location within a proximity of the tracking device 106 and provide a last known location within a proximity of the tracking device 106 as provided by the community mobile device 104.

In one configuration, the tracking device location manager 206 may receive an indication that a tracking device 106 is lost from the mobile device 102 and store the lost indication on a database. When the tracking device location manager 206 receives an indication that the tracking device 106 is lost, the tracking device location manager 206 may set a flag indicating that the tracking device 106 is lost. Setting a flag for a tracking device 106 may include storing and/or associating a value associated with the tracking device that indicates that the tracking device 106 is lost. This may include setting a flag, marker, digital value, or other indication that the tracking device 106 is lost and maintaining or storing the indication of the lost tracking device 106 on the tracking system 100 (e.g., on a database).

The tracking device location manager 206 may further receive updated locations from the community of mobile devices 104 that are constantly scanning for nearby tracking devices 106. In this example, the tracking device location manager 206 may receive location updates from the community of mobile devices 104 and, based on the tracking device 106 being indicated as lost, provide a response to a lost indication to the mobile device 102. The response to the lost indication may be a text message, push notification, ring tone, automated voice message, or other response for informing a user 103 that a tracking device 106 has been found and/or an updated location of the tracking device 106.

The tracking device location manager 206 may further manage providing indications about whether a tracking device 106 is lost or not lost. For example, as discussed above, the tracking device location manager 206 may provide a location request to the community of mobile devices 104 indicating that a tracking device 106 is lost. Additionally, upon location of the tracking device 106 by the user 103 or by one of the community of users 105, the tracking device location manager 206 may provide an indication to the user 103, community user 105, or tracking system 100 that the tracking device 106 has been found, thus removing any flags associated with a tracking device and/or canceling any location request previously provided to the community of users 105. For example, where a user 103 sends an indication that the tracking device 106 is lost to the tracking system 100 and later finds the tracking device 106, the mobile device 102 may provide an indication to the tracking system 100 that the tracking device 106 has been found. In response, the tracking device location manager 206 may remove a flag indicating that the tracking device 106 is lost and/or provide an updated indication to the community of users 105 that the tracking device 106 has been found, thus canceling any instructions associated with the previously provided location request. In some configurations, the notification that the tracking device 106 has been found may be provided automatically upon the mobile device 102 detecting a proximity of the tracking device 106. Alternatively, the notification that the tracking device 106 has been found may be provided by the user 103 via user input on the mobile device 102. In another example, a known user (e.g., a friend or family member) with whom the tracking device 106 has been shared may provide an indication that the tracking device 106 has been found.

The tracking system 100 additionally includes a data manager 208. The data manager 208 may store and manage information associated with users, mobile devices, tracking devices, permissions, location requests, and other data that may be stored and/or maintained in a database related to performing location services of tracking devices. As shown, the data manager 208 may include, but is not limited to, a user database 210, a tracker database 212, permissions data 214, and location request data 216. It will be recognized that although databases and data within the data manager 208 are shown to be separate in FIG. 2, any of the user database 210, tracker database 212, permissions data 214, and location request data 216 may be combined in a single database or manager, or divided into more databases or managers as may serve a particular embodiment.

The data manager 208 may include the user database 210. The user database 210 may be used to store data related to various users. For example, the user database 210 may include data about the user 103 as well as data about each user 105 in a community of users 105. The community of users 105 may include any user that has provided user information to the tracking system 100 via a mobile device 102, 104 or other electronic device. The user information may be associated with one or more respective tracking devices 106, or may be stored without an association to a particular tracking device. For example, a community user 105 may provide user information and permit performance of tracking functions on the community mobile device 104 without owning or being associated with a tracking device 106. The user database 210 may also include information about one or more mobile devices or other electronic devices associated with a particular user.

The data manager 208 may also include a tracker database 212. The tracker database 212 may be used to store data related to tracking devices. For example, the tracker database 212 may include tracking data for any tracking device 106 that has been registered with the tracking system 100. Tracking data may include unique tracker identifications (IDs) associated with individual tracking devices 106. Tracker IDs may be associated with a respective user 103. Tracker IDs may also be associated with multiple users. Additionally, the tracker database 212 may include any flags or other indications associated with whether a specific tracking device 106 has been indicated as lost and whether any incoming communications with regard to that tracking device 106 should be processed based on the presence of a flag associated with the tracking device 106.

The data manager 208 may further include permissions data 214 and location request data 216. Permissions data 214 may include levels of permissions associated with a particular user 103 and/or tracking device 106. For example, permissions data 214 may include additional users that have been indicated as sharing a tracking device 106, or who have been given permission to locate a tracking device 106 using an account and/or mobile device 102 associated with the user 103. Location request data 216 may include information related to a location request or a lost indication received from the user 103 via a mobile device 102.

FIG. 3 illustrates a diagram showing example components of the mobile device 102. As shown, the mobile device 102 may include, but is not limited to, a user interface manager 302, a location request manager 304, a database manager 306, and a tracking manager 308, each of which may be in communication with one another using any suitable communication technologies. It will be recognized that although managers 302-308 are shown to be separate in FIG. 3, any of the managers 302-308 may be combined into fewer managers, such as into a single manager, or divided into more managers as may serve a particular embodiment.

As will be explained in more detail below, the mobile device 102 includes the user interface manager 302. The user interface manager 302 may facilitate providing the user 103 access to data on a tracking system 100 and/or providing data to the tracking system 100. Further, the user interface manager 302 provides a user interface by which the user 103 may communicate with tracking system 100 and/or tracking device 106 via mobile device 102.

The mobile device 102 may also include a location request manager 304. The location request manager 304 may receive and process a request input to the mobile device 102 to send an indication that a tracking device 106 is lost to a tracking system 100. For example, the user 103 may provide an indication that a tracking device 106 is lost, unreachable, or otherwise unavailable from the mobile device 102 via the user interface manager 302, and the location request manager 304 may process the lost indication and provide any necessary data to the tracking system 100 for processing and relaying a location request to other users 105 over a network 108. In some configurations, an indication that a tracking device 106 is lost is provided via user input. Alternatively, the indication may be transmitted automatically in response to the mobile device 102 determining that a tracking device 106 is lost.

The mobile device 102 may also include a database manager 306. The database manager 306 may maintain data related to the user 103, tracking device 106, permissions, or other data that may be used for locating a tracking device 106 and/or providing a request to a tracking system 100 for locating one or more tracking devices 106 associated with the user 103. Further, the database manager 306 may maintain any information that may be accessed using any other manager on the mobile device 102.

The mobile device 102 may further include a tracking manager 308. The tracking manager 308 may include a tracking application (e.g., a software application) for communicating with and locating a tracking device 106 associated with the user 103. For example, the tracking manager 308 may be one configuration of a tracking application installed on the mobile device 102 that provides the functionality for locating a tracking device 106 and/or requesting location of a tracking device 106 using a plurality of community mobile devices 104. As shown, the tracking manager 308 may include, but is not limited to, a Bluetooth Low Energy (BLE) manager 310, a persistence manager 312, a local files manager 314, a motion manager 316, a secure storage manager 318, a settings manager 320, a location manager 322, a network manager 324, a notification manager 326, a sound manager 328, a friends manager 330, a photo manager 332, an authentication manager 334, and a device manager 336. Thus, the tracking manager 308 may perform any of the functions associated with managers 310-338, described in additional detail below.

The BLE manager 310 may be used to manage communication with one or more tracking devices 106. The persistence manager 312 may be used to store logical schema information that is relevant to the tracking manager 308. The local files manager 314 may be responsible for managing all files that are input or output from the mobile device 102. The motion manager 316 may be responsible for all motion management required by the tracking manager 308. The secure storage manager may be responsible for storage of secure data, including information such as passwords and private data that would be accessed through this sub-system. The settings manager 320 may be responsible for managing settings used by the tracking manager 308. Such settings may be user controlled (e.g., user settings) or defined by the tracking manager 308 for internal use (e.g., application settings) by a mobile device 102 and/or the tracking system 100. The location manager 322 may be responsible for all location tracking done by the tracking manager 308. For example, the location manager 322 may manage access to the location services of the mobile device 102 and works in conjunction with other managers to persist data. The network manager 324 may be responsible for all Internet communications from the tracking manager 308. For example, the network manager 324 may mediate all Internet API calls for the tracking manager 308. The notification manager 326 may be responsible for managing local and push notifications required by the tracking manager 308. The sound manager 328 may be responsible for playback of audio cues by the tracking manager 308. The friends manager 330 may be responsible for managing access to contacts and the user's social graph. The photo manager 332 may be responsible for capturing and managing photos used by the tracking manager 308. The authentication manager 334 may be responsible for handling the authentication (e.g., sign in or login) of users. The authentication manager 334 may also include registration (e.g., sign up) functionality. The authentication manager 334 further coordinates with other managers to achieve registration functionality. The device manager 336 may be responsible for managing the devices discovered by the tracking manager 308. The device manager 336 may further store and/or maintain the logic for algorithms related to device discovery and update.

FIG. 4 illustrates a diagram showing example components of a community mobile device 104. As shown, the community mobile device 104 may include, but is not limited to, a user interface manager 402, a lost tracking device manager 404, a database manager 406, and a tracking manager 408, each of which may be in communication with one another using any suitable communication technologies. The user interface manager 402, database manager 406, and tracking manager 408 illustrated in FIG. 4 may include similar features and functionality as the user interface manager 302, database manager 306, and tracking manager 308 described above in connection with FIG. 3. It will be recognized that although managers 402-408 are shown to be separate in FIG. 4, any of the managers 402-408 may be combined into fewer managers, such as into a single manager, or divided into more managers as may serve a particular embodiment.

The community mobile device 104 may include a lost tracking device manager 404. The lost tracking device manager 404 may facilitate scanning for nearby tracking devices 106. In some configurations, the lost tracking device manager 404 can continuously or periodically scan (e.g., once per second) for nearby tracking devices 106. The lost tracking device manager 404 may determine whether to provide an updated location of the nearby tracking device 106 to the tracking system 100. In some configurations, the lost tracking device manager 404 provides a location of a nearby tracking device 106 automatically. Alternatively, the lost tracking device manager 404 may determine whether the location of the tracking device 106 has been recently updated, and determine whether to provide an updated location based on the last time a location of the tracking device 106 has been updated (e.g., by the community mobile device 104). For example, where the community mobile device 104 has provided a recent update of the location of a tracking device 106, the lost tracking device manager 404 may decide to wait a predetermined period of time (e.g., 5 minutes) before providing an updated location of the same tracking device 106.

In one configuration, the lost tracking device manager 404 may receive and process a location request or other information relayed to the community mobile device 104 by the tracking system 100. For example, the lost tracking device manager 404 may receive an indication of a tracking device 106 that has been indicated as lost, and provide a location of the tracking device 106 if it comes within proximity of the community mobile device 104. In some configurations, the community mobile device 104 is constantly scanning nearby areas to determine if there is a tracking device 106 within a proximity of the community mobile device 104. Therefore, where a tracking device 106 that matches information provided by the tracking system 100 (e.g., from the location request) comes within proximity of the community mobile device 104, the lost tracking device manager 404 may generate and transmit a response to the location request to the tracking system 100, which may be provided to the user 103 associated with the lost tracking device 106. Further, generating and transmitting the response to the tracking request may be conditioned on the status of the tracking device 106 being flagged as lost by the mobile device 102 and/or the tracking system 100.

The lost tracking device manager 404 may additionally provide other information to the tracking system 100 in response to receiving the tracking request. For example, in addition to providing a location of the community mobile device 104, the lost tracking device manager may provide a signal strength associated with the location to indicate a level of proximity to the location of the community mobile device 104 provided to the user 103. For example, if a signal strength is high, the location provided to the user 103 is likely to be more accurate than a location accompanied by a low signal strength. This may provide additional information that the user 103 may find useful in determining the precise location of tracking device 106.

As described above, the lost tracking device manager 404 may determine whether to send a location within the proximity of the tracking device 106 to the tracking system 100. The determination of whether to send a location to the tracking system 100 may be based on a variety of factors. For example, a lost tracking device manager 404 may determine to send a location of the tracking device 106 to a tracking system 100 based on whether the detected tracking device 106 has been indicated as lost or if a tracking request has been provided to the community mobile device 104 for the particular tracking device 106. In some configurations, the community mobile device 104 may send an update of a location of a tracking device 106 even if the tracking device 106 is not associated with a current tracking request or if the tracking device 106 is not indicated as lost. For example, where the location of a tracking device 106 has not been updated for a predetermined period of time, the community mobile device 104 may provide an update of a tracking device location to the tracking system 100, regardless of whether a tracking request has been received.

In some configurations, the community mobile device 104 may include additional features. For example, the community mobile device 104 may allow a tracking system 100 to snap and download a photo using photo functionality of the community mobile device 104. In some configurations, this may be an opt-in feature by which a community user 105 permits a tracking system 100 to take a snap-shot and possibly provide a visual image of an area within a proximity of the tracking device 106.

Hash-Based Location Tracking

Often, identifying and tracking the location of wireless devices requires the establishment of a two-way communication session between the device being tracked (the “tracking device”) and another device (such as a mobile phone, computer, or any other suitable device, “mobile device” hereinafter). As described herein, a tracking device can instead be identified using one-way communications (communications from the tracking device to the mobile device), without requiring communications from the mobile device to the tracking device. Such communications are referred to as “advertisements” by the tracking device, and can be secured by the tracking device to prevent interception by unauthorized entities, for instance entities masquerading as an associated mobile device or entities eavesdropping on tracking device advertisements to collect information about the tracking device.

A tracking device (such as the tracking device 106 of FIG. 1) can be configured to generate a hash value identifying the tracking device. The hash value can be dependent on one or more parameters associated with the tracking device, including but not limited to one or more of the following: a key stored by the tracking device, the MAC address of the tracking device (random or assigned to the tracking device by a tracking server, such as the tracking system 100 of FIG. 1), a device identifier (such as a persistent identifier that uniquely identifies the tracking device), a time at which the hash value is generated, or any other suitable parameters. By generating a hash value based on a time at which the hash value is generated, the hash value can expire after a threshold amount of time elapses, or after the passage of a pre-defined time interval, as described below.

In some embodiments, the generated hash value is represented by the function:

-   -   hash_value=f(tracking_device_key, tracking_device_identifier,         time)

The tracking device can generate a hash value (or, in some embodiments, a keyed-hash value) using any suitable hashing function, such the SHA-X function, the MDX function, the RIPEMD function, the PANAMA function, the Tiger function, the WHIRLPOOL function, the Bernstein hash function, the Fowler-Noll-Vo hash function, the Jenkins hash function, the Pearson hash function, the Zobrist hash function, and the like. A keyed-hash message authentication code (HMAC) construction can be used for calculating the keyed-hash. Although hash functions are described herein, in other embodiments, the tracking device is configured to generate an encrypted or otherwise encoded value based on one or more device parameters using any suitable encryption or encoding function. The parameter “tracking_device_key” refers to a key stored by the tracking device, the parameter “tracking_device_identifier” refers to an identifier that uniquely identifies the tracking device, and the parameter “time” refers to the time interval or period during which the hash value is generated.

FIG. 5 illustrates a process 500 of identifying a tracking device and an associated location, according to one embodiment. A tracking device 502 generates 510 a hash value based on one or more tracking device parameters, such as an assigned tracking device key, a persistent tracking device unique identifier, and a time or time interval during which the hash value is generated. The tracking device 502 can generate a new hash value periodically, after the passage of a pre-determined interval of time, in response to detected movement of the tracking device, or in response to any other suitable stimulus.

The generated hash value 512 is advertised or broadcasted, for instance using the Bluetooth protocol, and is received by the mobile device 504. In some embodiments, the tracking device 502 advertises the hash value periodically, a threshold number of times per generated hash value, in response to generating the hash value, or based on any other suitable criteria. It should be noted that the generated hash 512 can advertised independent of or without communications from the mobile device 504.

The mobile device 504 receives the hash value and determines 514 whether the hash value can be resolved locally. To resolve a hash value locally, the mobile device 504 accesses a set of stored parameters for each tracking device associated with or “owned by” the mobile device 504 (such as a tracking device key and/or tracking device identifier assigned to the mobile device by a tracking server 506), and generates a hash value for each owned tracking device using the same hash function and tracking device parameters as the tracking device 502. If the received hash value matches any hash value generated by the mobile device 504, the mobile device 504 identifies the tracking device 502 as the tracking device associated with the matched hash value, identifies the location of the tracking device 502, and provides the tracking device identity and location 518 to the tracking server 506. The tracking server 506 stores 520 the received tracking device identity in association with the received tracking device location.

If none of the hash values generated by the mobile device 504 match the received hash value, or if the mobile device 504 does not have access to device parameters for tracking devices owned by the mobile device 504, the mobile device 504 identifies 522 the location of the tracking device 502, and forwards the received hash value and the identified location 524 to the tracking server 506. The tracking server 506 resolves 526 the hash value by generating a hash value for each tracking device tracked by or associated with the tracking server 506 using associated device parameters maintained by the tracking server 506. The tracking server 506 identifies 528 the tracking device 502 by matching the received hash value to a hash value generated by the tracking server 506. Upon identifying the tracking device 502, the tracking server 506 stores 530 the received location in association with the identity of the tracking device 502.

The tracking server 506 can be configured to pre-generate hash values for each tracking device associated with the tracking server 506, and to store the pre-generated hash values in, for example, a hash table. For instance, for hash values generated using, as one tracking device parameter, the hour interval (such as 10:00 am-11:00 am PDT) during which the hash value is generated, the tracking server 506 can generate hash values for each tracking device associated with the tracking server 506 every hour. If a hash value generated in a previous hour interval is received at the tracking server 506, the tracking server 506 may not be able to resolve the hash value using hash values generated during a current hour interval. In such instances, the received hash value has “expired”, and the tracking server 506 ignores the expired hash value, waits for a subsequent/non-expired hash value from the tracking device 502 (via the mobile device 504), and resolves the subsequent hash value. It should be noted that although examples are given with regards to hour intervals, hash values can be generated an expire with regards to any time interval, such as the 5-minute interval, the 15-minute interval, the 6-hour interval, the 24-hour interval, and the like.

In order to synchronize maintained times between the tracking device 502, the mobile device 504, and the tracking server 506, the tracking device 502 can authenticate the mobile device 504 and/or tracking server 506, and can synchronize a timing tracker at the tracking device 502 in response to the authentication. Alternatively, the tracking device 502 can synchronize a timing tracker at the tracking device 502 using an external entity, in response to the manual synchronization of the timing tracker by a user, or using any other suitable synchronization means. In some embodiments, the mobile device 504 can determine that a tracking device 502 is out of synch by resolving an expired hash value received from the tracking device and determining that the resolved hash value has expired. In response to determining that the tracking device 502 is out of synch, the mobile device 504 can trigger a re-synchronization by connecting to the tracking device and updating the tracking device's timing information. In some embodiments, re-synchronization occurs during a grace period, for instance a threshold period of time after new hash values associated with a time interval are generated.

The hash function used by the tracking device 502 can produce hash values of any suitable size or length. In some embodiments, the length of the hash value or the type of hash function is selected based on available power, time, or any other characteristic of the tracking device 502 or tracking server 506. In some embodiments, the length of the hash value is selected based on a pre-determined acceptable collision rate. Collisions occur when the tracking server 506 generates the same hash value for two or more tracking devices during a particular time interval. Collisions can be resolved by comparing a previous known/stored location for each tracking device associated with the collision and the received location associated with the received hash value. For instance, if a previous known/stored location for a particular tracking device associated with a collision is within a threshold distance of a received location, the tracking device 502 can identify the particular tracking device from among the tracking devices associated with the collision as the tracking device associated with the received location. In some embodiments, the tracking server 506 can simply ignore received hash values associated with collisions until a new hash value generated during a subsequent time interval is received, and can resolve the new hash value accordingly.

It should be noted that in some embodiments, the hash values described herein are included within a communication packet that also includes other types of data. For instance, a packet can include a hash value and one or more of: information describing a broadcast power by the tracking device 502, a time of communication, an identity of the mobile device 504 associated with the tracking device, an identity of a user associated with the tracking device, a digital signature for use in verifying the identity of the tracking device or the authenticity of the communication packet, or any other suitable information.

In some embodiments, the “time” variable in the hash function described above is an incremented time interval value. For example, the value of the time variable for the first 15 minute interval of a calendar year is “00001”, the value of the time variable for the second 15 minute interval is “00002”, and so forth. In order to align the value of the time variable used in computing the hash value, the tracking device 502 can include the value of the time variable in plaintext in a header of an advertisement packet that includes the hash value. In such embodiments, a mobile device 504 or tracking server 506 can parse the value of the time variable included within the header, and can compute hash values for tracking devices associated with the mobile device or tracking server using the parsed value of the time variable for comparison with the hash value included within the advertisement packet.

For collisions, in addition to using the geographic location of the tracking device to resolve collisions between hash values, the geographic location of or associated with a user can be used. For example, if a first hash value is associated with a first tracking device and a second hash value is associated with a second tracking device, a collision between the first hash value and the second hash value can be resolved by determining that the location of the mobile device from which each hash value was received is within a threshold distance of a geographic location associated with an owner of the first tracking device, and by selecting the first tracking device as associated with the received hash value.

Likewise, collisions between hash values can be resolved by using account information associated with tracking device users. For instance, if a user is associated with a user account that is in turn associated with a mobile device, and a hash value associated with a collision was received from the mobile device, a tracking device associated with the mobile device can be selected as associated with the hash value. Further, a hash value collision can be resolved based on a most recent incremented “time” variable value associated with each tracking device associated with the hash value collision. For instance, if a first hash value is associated with a first tracking device from which a hash value generated using the time value “00034” was recently received, if a second hash value is associated with a second tracking device from which a hash value generated using the time value “29531” was recently received, and if the hash values associated with the hash value collision are generated using the time values “00035” and “14224”, the first tracking device can be selected as associated with the received hash value since “00034” is closer to “00035” than “29531” is to “00035” or “14224”. In other words, a tracking device can be selected based on how proximal or close an incremented time or counter value associated with a collision is to a time or counter value recently used by a tracking device associated with the collision, without requiring the transmission of the incremented value itself.

In some embodiments, the tracking server 506 attempts to resolve collisions first using user account information as described above. In the event that the collision cannot be resolved using account information, the tracking server attempts to resolve the collision using proximity of incremented time or counter values recently used by a tracking device in generating a hash value to time or counter values used to generate hash values associated with a collision. In the event that the collision still cannot be resolved, the tracking server can then attempt to resolve the collision using a proximity of a geographic location of a mobile device, tracking device, or user to a tracking device associated with a collision.

Replay attacks, or the use of a hash value intercepted by an unauthorized entity to attempt to authenticate a tracking device, can be avoided by tracking incremented time or counter values associated with a tracking device. For instance, when a hash value is received from a tracking device, the tracking server 506 can update a stored time/counter value associated with the tracking device. When a subsequent hash value is received that is associated with a lower or earlier time/counter value, the tracking server can disregard the hash value and can deny a request to authenticate the tracking device.

In embodiments where each time or counter value used to generate a first hash value is associated with a particular time interval (e.g., 15 minutes), the tracking server can deny a request to authenticate a tracking device from which a subsequent hash value is received based on the same time or counter value if the subsequent hash value is received outside of the time interval (for instance, continuing with the previous example, if the subsequent hash value is received 20 minutes after the first hash value is received). The tracking server can increment tracked time or counter values for a tracking device based on an amount of time that has lapsed since a hash value associated with a tracked time or counter value was received. Thus, if a hash value is received from a tracking device that is generated using a time or counter value outside of an expected range for the tracking device (e.g., a time or counter value occurring before a tracked time or counter value for the tracking device, or occurring more than a threshold distance beyond from a tracked time or counter value incremented by the tracking server), the tracking server can disregard the received hash value and/or deny a request to authenticate a corresponding tracking device.

Motion-Activated Location Determination

To determine the location of a tracking device, such as the tracking device 106 of FIG. 1, the tracking device emits a location-request beacon or advertisement signal (location request). In response to receiving the beacon or advertisement signal, a mobile device, such as the mobile device 104 of FIG. 1, uses location-determining functionality (such as a GPS receiver) to determine the location of the mobile device. Being in close proximity with the tracking device, the location of the mobile device is associated with the tracking device. However, the use of location-determining functionality by the mobile device is often very power-consuming, resulting in the draining of the mobile device's battery or other power source.

To offset the drain of power by the location-determining functionality of the mobile device, the tracking device can be configured to emit a location request only in response to the detection of movement by the tracking device. When the tracking device is not moving, the location of the tracking device doesn't change, and a previous determined location (determined in response to the detection of a previous movement) is sufficient to describe the location of the tracking device.

In other embodiments, the tracking device is configured to emit a location request either in response to the detection of movement by the tracking device, at a fixed interval, or in response to a request from a mobile device. In such embodiments, the tracking device can include a time stamp within the location request indicating a time associated with the last detected movement of the tracking device. In response to receiving a location request from the tracking device by a mobile device, the mobile device can determine based on the time associated with the last detected movement of the tracking device if the tracking device has moved since the last time a high-accuracy location was determined for the tracking device. For instance, if a tracking device is within a threshold distance from the mobile device when the mobile device receives a location request, the mobile device can associate the tracking device with the location of the mobile device, and can determine that the associated location is a “high-accuracy” location.

If the mobile device subsequently moves more than the threshold distance away from the tracking device and receives a location request, and if the location request includes a timestamp indicating that the tracking device hasn't moved since the mobile device associated the tracking device with the location of the mobile device from within a threshold distance from the tracking device, then the mobile device can maintain the association between previous location and the tracking device as a high-accuracy location. On the other hand, if the location request includes a timestamp indicating that the tracking device has since moved, the mobile device can associate the location of the mobile device with the tracking device, though because the distance between the mobile device and tracking device is greater than the threshold distance, the associated location is maintained as a low-accuracy location. It should be noted that in some embodiments, the location request can include an indication of movement magnitude. In such embodiments, the mobile device can determine that a previous high-accuracy location is still a high-accuracy location if the magnitude of movement is below a movement threshold. Alternatively, if the movement is greater than the movement threshold, the mobile device can determine that the previous high-accuracy location is now a low-accuracy location, or can associate the new location of the mobile device with the tracking device as a low-accuracy location.

In some embodiments, the threshold distance described above is a distance such that the tracking device sends communications to the mobile device, but such that the mobile device cannot send communications to the tracking device (in other words, the tracking device is outside of the range of the mobile device). In some embodiments, the threshold distance is a pre-determined distance such that location information of the mobile device and associated with the tracking distance is above a threshold accuracy (a “high-accuracy” location) when the mobile device is within the threshold distance of the tracking device and is below a threshold accuracy (a “low accuracy” location) when the mobile device is outside the threshold distance from the tracking device. In some embodiments, the location request from the tracking device includes an indication of strength of transmission power. In such embodiments, the indicated strength of transmission power can be used to determine if the mobile device is within the threshold distance of the mobile device.

The tracking device can include one or more movement-detection mechanisms. For example, the tracking device can include a gyroscope, an accelerometer configured to detect movement along one or more axes, an acoustic motion sensor, a vibration sensor, a spring-based motion detector, or any other suitable mechanism. In some embodiments, the type of motion detection implemented within the tracking device can be basic, as the mere detection of motion in any form can be sufficient to trigger a location request. In such embodiments, rudimentary and/or low-power motion detectors can be implemented within the tracking device, beneficially reducing the cost of and/or power used by the tracking device.

FIG. 6 illustrates a process 600 of determining device location in response to movement detection, according to one embodiment. A tracking device 602 detects 610 movement using, for instance, one or more motion-detection devices within the tracking device 602. In response to detecting the movement, the tracking device 602 sends a movement flag 612 or other indication of the movement to a mobile device 604. In response to receiving the movement flag 612, the mobile device powers on 614 a location-detection receiver, such as a GPS receiver, and accesses location information associated with the location of the mobile device 604 (and, due to the proximity of the tracking device 602 to the mobile device 604), the location of the tracking device 602.

The mobile device 604 provides the identity and location 618 of the tracking device 602 to the tracking server 606. The tracking server stores 620 the received location in association with the identity of the tracking device 602, and provides a confirmation 622 of the storage of the received location to the mobile device 604. In response to receiving the storage confirmation 622, the mobile device 604 powers off the location-detection receiver. It should be noted that in embodiments where the mobile device 604 does not receive the confirmation 622 from the tracking server 606, the mobile device 604 can re-send the tracking device identity and location to the tracking server 606. In some embodiments, the mobile device 604 can power off the receiver immediately after providing the tracking device identity and location to the tracking server 606.

The mobile device 604 provides confirmation 626 of the storage of the tracking device location by the tracking server 606 to the tracking device 602. In response to receiving the confirmation 626, the tracking device 602 enters standby mode 628 until subsequent movement is detected. In embodiments where the tracking device 602 does not receive the confirmation 626, the tracking device 602 can re-send the movement flag 612 to the mobile device 604. In some embodiments, the mobile device 604 provides confirmation of providing the tracking device identity and location to the tracking server 606 to the tracking device 602 without waiting to receive the confirmation 622 that the location was stored from the tracking server 606, and in response, the tracking device 602 can enter the standby mode 628. By only powering on the location-detection receiver in response to the detection of movement by the tracking device 602, the mobile device 604 saves power that would otherwise be required to power on the location-detection receiver during periods of time when the tracking device 602 is not moving.

FIG. 7 illustrates a process 700 of selecting between current or previous device location information, according to one embodiment. The tracking device 702 detects 710 movement, for instance using one or more location-detection devices as described above. In response, the tracking device 702 provides movement information 712 to the mobile device 704. The movement information 712 can include, for instance, a magnitude of detected movement.

In response to receiving the movement information 712, the mobile device 704 accesses location information 716, for instance using location-detection mechanisms, as described above. Although not illustrated in FIG. 7, the mobile device 704 can implement the power-saving process of FIG. 6 by powering on the location-detection mechanisms of the mobile device 704 only in response to receiving the movement information 712.

The mobile device 704 provides the identity, location, and movement information 718 of the tracking device 702 to the tracking server 706. The tracking server 706 stores 720 the received location in association with the tracking device 702 as the current location of the tracking device. The tracking server 706 accesses 722 a previous location associated with the tracking device 702 stored by the tracking server 706.

The tracking server 706 then selects one or both of the current location and the previous location of the tracking device 702 for providing to the mobile device 704. In some embodiments, the tracking server 706 can select the location of the tracking device 702 determined to be the most accurate. For instance, if the received movement information indicates that the detected movement of the tracking device 702 is very small and/or that the accuracy of the received current location is low (for instance, as a result of the tracking device 702 being determined to be more than a first threshold distance from the mobile device 704), the tracking server 706 can determine that the previous location is more accurate than the current location, and can select the previous location.

Alternatively, if the accessed previous location was received and stored more than a threshold amount of time ago and/or the accuracy of the received current location is high (for instance, as a result of the tracking device 702 being determined to be less than a second threshold distance from the mobile device 704), the tracking server 706 can determine that the current location is more accurate than the previous location. In some embodiments, the tracking server 706 can determine that the current location and the previous location are equally or within a threshold measurement of accuracy to each other and can select both locations. In some embodiments, when the tracking server 706 determines that the current location is more accurate or reliable than the previous location, the tracking server 706 overrides the previous location with the current location in association with the identity of the tracking device 702.

The tracking server 706 provides the one or more select locations 726 to the mobile device 704. In response, the mobile device 704 presents 728 the one or more selected locations, for instance to a user of the mobile device 704. Alternatively, the mobile device 704 can store the one or more selected locations for subsequent access. The mobile device 704 can then provide confirmation 730 to the tracking device 702 that the current location was received and/or stored by the tracking server 706. In response, the tracking device 702 can enter standby mode 732 until subsequent motion of the tracking device 702 is detected.

End-to-End Encryption in a Tracking Device Environment

In order to facilitate data privacy within the tracking device environment, data protection measures can be implemented by a central tracking system (e.g., tracking system 100, or “tracking server” herein). As described herein, a permanent encryption key pair associated with a tracking device can be used to encrypt the temporary private keys of one or more temporary encryption key pairs associated with the tracking device, and the central tracking system can store the temporary public keys and the encrypted temporary private keys. Community mobile devices that detect the tracking device can encrypt location data using the temporary public keys, and the central tracking system can provide the encrypted location data to an owner of the tracking device for decryption.

Such data protection measures enable location data to be protected at the moment it is gathered (by community mobile devices), as it is provided to and stored by the central tracking system, and as it is provided to an owner of the tracking device. In such an implementation, only an owner of the tracking device (or an individual with whom the tracking device has been shared) is able to decrypt the encrypted temporary private keys, which in turn are used to decrypt the location data. Accordingly, an entity associated with the central tracking system (such as a database manager) is unable to decrypt the location data, beneficially protecting the location data from the moment it is gathered by a community mobile device until it is received by an owner of the tracking device.

As noted above, a tracking device associated with an identifier can use a set hash keys to hash the identifier, and can include the hashed identifier in an advertising packet that is transmitted periodically. These hash keys can be rotated such that, for instance, a new hash key can be used every 15 minutes. The hash keys can be generated in advance, for instance, by a manufacturer of the tracking device, by a tracking server associated with the tracking device, by a device associated with the tracking device (such as a mobile device of an owner of the tracking device), or by the tracking device itself. The hash keys can also be generated on-demand, for instance based on a current time interval within which the tracking device identifier is to be hashed. In some embodiments, the hash keys are generated using a hash key algorithm. In such embodiments, the tracking device (or a device associated with the tracking device) and the central tracking system can each independently generate the same set of hash keys using a hash key algorithm, beneficially enabling the central tracking system to store and associate the set of hash keys with the tracking device without requiring the transmission of the set of hash keys between the tracking device (or the device associated with the tracking device) and the central tracking system.

A permanent encryption key pair (including a permanent public key and a permanent private key) is generated for the tracking device. The permanent encryption key pair can be generated during the manufacture of the tracking device, upon activation of the tracking device, upon registration of the tracking device with a central tracking system, or at any other suitable time. The permanent encryption key pair can be generated by the manufacturer, by an owner device associated with the tracking device, by the central tracking system, or by any other suitable entity. The owner device (such as a mobile device associated with an owner of the tracking device and configured to communicate with the tracking device) can store the permanent public key and the permanent private key. The owner device can provide the permanent public key to the central tracking system for storage in association with an identifier of the tracking device. Although the permanent public key is transmitted to the central tracking system, the permanent public key can be kept confidential, since the permanent public key may otherwise be used to uniquely identify the tracking device.

A set of temporary encryption key pairs are generated for the tracking devices. Each temporary encryption key pair includes a temporary private key and a temporary public key. The temporary encryption key pairs can be generated using any suitable encryption key generation method, for instance the Rivest-Shamir-Adleman (“RSA”) algorithm or an elliptic-curve cryptography (“ECC”) algorithm. The set of temporary encryption key pairs can include one encryption key pair or any number of encryption key pairs. In some embodiments, one encryption key pair is generated for each hash key in the set of hash keys used by the tracking device. The set of temporary encryption key pairs can be generated upon activation of a tracking device, for instance by an owner mobile device used to activate the tracking device. Alternatively, the set of temporary encryption key pairs can be generated periodically or in response to an event (such as a request from an owner of the tracking device, a complete rotation through a previous set of temporary encryption key pairs, and the like).

In some embodiments, the set of temporary encryption key pairs can be generated by an owner mobile device or by another device of the owner, while in other embodiments, the set of temporary encryption key pairs can be generated by the central tracking system, by the tracking device, by a manufacturer of the tracking device, or by any other suitable entity. The temporary private key of each temporary encryption key pair associated with a tracking device can be encrypted (for instance, by an owner mobile device, by the tracking device, by the central tracking system, or by any other entity) using the permanent public key associated with the tracking device. Each encrypted temporary encryption key pair (including the encrypted temporary private key and the associated temporary public key) is then provided to the central tracking system for distribution to mobile devices that subsequently detect the tracking device as described below.

FIG. 8 is an interaction diagram illustrating a process for implementing end-to-end encryption in a tracking device environment, according to one embodiment. The environment 800 of FIG. 8 includes a tracking device 802, a community mobile device 804, a tracking server 806, and an owner mobile device 808. In the embodiment of FIG. 8, the owner mobile device 808 encrypts 810 the temporary private key of each temporary encryption key pair associated with the tracking device 802 using the permanent public key associated with the tracking device 802 (which the owner mobile device 808 can access). As noted above, in some embodiments, the owner mobile device 808 generates the set of temporary encryption key pairs in advance, for instance generating one temporary encryption key pair for each hash key associated with the tracking device 802. The owner mobile device 808 then provides 812 the encrypted temporary key pairs (each including a temporary public key and the corresponding encrypted temporary private key) to the tracking server 806 for storage.

After the tracking server 806 stores the encrypted temporary key pairs, the tracking device 802 generates 814 a hashed identifier (“hash ID”) for inclusion in periodic advertisement beacon transmissions. The hash key used to hash the unique identifier of the tracking device 802 can be selected based on a current time interval during which the hashed identifier is generated. For instance, each 15-minute interval within a year can be associated with a different hash key of a set of hash keys. The community mobile device 804 receives 816 the hashed identifier from the tracking device 802, for instance after moving within a threshold proximity of the tracking device and receiving an advertisement beacon transmission from the tracking device. The community mobile device 804 provides 818 the hashed identifier to the tracking server 806.

The tracking server 806 identifies 820 the tracking device 802 by identifying the hash key used to generate the hashed identifier, and identifying the tracking device associated with the identified hash key. The tracking server 806, upon identifying the tracking device 802, identifies an encrypted temporary encryption key pair. In embodiments in which there is a 1-to-1 relationship between the set of hash keys and encrypted temporary encryption key pairs, the identified encrypted temporary encryption key pair comprises the encrypted temporary encryption key pair associated with the hash key used to generate the hashed identifier. The tracking server 806 then provides 822 the identified encrypted temporary encryption key pair to the community mobile device 804.

The community mobile device 804 determines a location of the community mobile device, for instance by activating a GPS receiver and determining a set of GPS coordinates representative of the location of the community mobile device. Upon receiving the encrypted temporary encryption key pair, the community mobile device 804 encrypts 824 data representative of the determined location of the community mobile device using the temporary public key of the received encrypted temporary encryption key pair. The community mobile device 804 then provides 826 the hashed identifier, the encrypted location, and the encrypted temporary private key to the central tracking system. The central tracking system stores 828 the received hash identifier, the encrypted location data, and the encrypted temporary private key 868, for instance within a “last known location” field associated with the tracking device.

At a later time, the owner mobile device 808 requests 830 a current, most recent, or last known location of the tracking device 802. In response to receiving the request, the tracking server 806 accesses 832 the hashed identifier, the encrypted location data, and the encrypted temporary private key and provides this information to the owner mobile device 808. The owner mobile device decrypts 834 the encrypted temporary private key using the permanent private key (to which the owner mobile device has access), and then decrypts 836 the encrypted location data using the decrypted temporary private key. The decrypted location data can be displayed by the owner mobile device 808, for instance within a map interface.

FIG. 9 illustrates a process for implementing end-to-end encryption in a tracking device environment, according to one embodiment. A permanent encryption key pair and a temporary encryption key pair associated with a tracking device are generated 902. The permanent encryption key pair includes a permanent public key and a permanent private key. Likewise, the temporary encryption key pair includes a temporary public key and a temporary private key. In some embodiments, a set of temporary encryption key pairs are generated, for instance one for each rotatable hash key associated with a tracking device.

The temporary private key of each temporary encryption key pair is encrypted 904 using the permanent public key. Each encrypted temporary encryption key pair (including a temporary public key and a corresponding encrypted temporary private key) is provided 906 to a central tracking system. The central tracking system stores each encrypted temporary encryption key pair in association with an identifier of the associated tracking device. For instance, if the central tracking system receives five sets of encrypted temporary encryption key pairs each associated with a different tracking device of five tracking devices, the central tracking system can store each set of encrypted temporary encryption key pairs in association with an identifier of the tracking device associated with the set of encrypted temporary encryption key pairs.

When a community mobile device (such as a mobile device not otherwise associated with the tracking device) receives a hashed tracking device identifier from the tracking device, the community mobile device provides 908 the received hash tracking device identifier to the central tracking system. The central tracking system then identifies the tracking device associated with the received hashed tracking device identifier (for instance, by hashing each of a set of tracking device identifiers with each of a corresponding set of hash keys). In response to identifying the tracking device associated with the received hashed tracking device identifier, the central tracking system provides and the community mobile device receives 910 an encrypted temporary encryption key pair associated with the identified tracking device.

The community mobile device then determines a location of the community mobile device (for instance, by activating the GPS receiver of the community mobile device), and encrypts 912 location data representative of the determined location using the temporary public key of the received encrypted temporary encryption key pair. The community mobile device then provides 914 the encrypted location data and the encrypted temporary private key of the received encrypted temporary encryption key pair to the central tracking system, which stores the encrypted location data and the encrypted temporary private key in association with an identity of the tracking device. In some embodiments, the community mobile device resends the hashed tracking device identifier with the encrypted location data and the encrypted temporary private key to the central tracking system, and the central tracking system determines the identity of the tracking device using the hashed tracking device identifier as described above.

When a user requests a location of the tracking device from the central tracking system, a user device with access to the permanent private key receives 916 the encrypted location data and the encrypted temporary private key from the central tracking system. The user device decrypts 918 the encrypted temporary private key using the permanent private key, and then decrypts 920 the encrypted location data using the decrypted temporary private key. The user device can then perform an action based on the decrypted location data, such as displaying the decrypted location data, for instance within a map interface or an operating system notification.

In some embodiments, instead of generating temporary encryption key pairs (as described above), a temporary private key can be used to generate a set of one or more diversified temporary public keys. Data encrypted using any of the set of diversified temporary public keys can be decrypted using the temporary private key. Any suitable key diversification operation can be used to generate the set of diversified temporary public keys. For instance, the set of diversified temporary public keys can be generated using Elgamal encryption, Elliptic Curve Integrated Encryption Scheme (ECIES) encryption, Networking and Cryptography library (NaCl) encryption, or any other suitable key diversification algorithm. In some embodiments, the set of diversified temporary public keys are generated based on the temporary private key, and can be generated using on one or more additional secrets (such as a set of elliptical curves, a secret value unique to the tracking device or an account of an owner of the tracking device, one or more passwords or passcodes, or any other suitable information).

FIG. 10 is an interaction diagram illustrating a process for implementing end-to-end encryption in a tracking device environment using key diversification, according to one embodiment. In the embodiment of FIG. 10, an owner mobile device 1008 generates 1010 a diversified public key associated with a private key and provides 1012 the diversified public key to a tracking server 1006. In other embodiments, a set of diversified public keys are generated and provided to the tracking server 1006, and may be generated by an entity other than the owner mobile device 1008 (for instance, by the tracking server 1006 itself, by a key server, by a manufacturer of the tracking device 1002, or by any other suitable entity). In some embodiments, the diversified public keys are provided to a key server (not shown in the embodiment of FIG. 10) instead of the tracking server 1006. The key server can be associated with a different entity or company than the tracking server 1006, for instance a mobile phone service operator, a mobile device manufacturer, and the like. It should be noted that although the diversified public key is provided to the tracking server 1006 in advance of a request from the community mobile device 1004, in practice, the diversified public key can be generated on-demand, for instance in response to the request from the community mobile device 1004 to encrypt location data. In such embodiment, when the community mobile device 1004 detects the tracking device 1002 (e.g., receives a communication from the tracking device, such as a hashed identifier), the community mobile device can inform the tracking server 1006 of the need for a diversified public key, and the tracking server can, in response request and receive the diversified public key from the owner mobile device 1008 or another entity configured to generate the diversified public key in response to the request from the tracking server.

As described above, the tracking server 1006 (or a key server) can associate each diversified public key in the set of diversified public keys with a different hash key of a set of hash keys associated with the tracking device 1002. In other embodiments, the set of diversified public keys are unique to the tracking device 1002, and can be used to identify the tracking device (or can be used by the tracking device to generate a hashed identified) in place of the set of hash keys. In such embodiments, a community mobile device can receive the diversified public key directly from the tracking device 1002, or can forward the hashed identifier hashed using the diversified public key to the tracking server 1006 or a key server, and can receive the diversified public key from the tracking server or key server, respectively, in response.

The tracking device 1002 generates 1014 a hashed identifier (“hash ID”) for inclusion in periodic advertisement beacon transmissions. The hash key used to hash the unique identifier of the tracking device 1002 can be selected based on a current time interval during which the hashed identifier is generated. For instance, each 15-minute interval within a year can be associated with a different hash key of a set of hash keys. The community mobile device 1004 receives 1016 the hashed identifier from the tracking device 1002, for instance after moving within a threshold proximity of the tracking device and receiving an advertisement beacon transmission from the tracking device. The community mobile device 1004 provides 1018 the hashed identifier to the tracking server 1006.

As described above, the tracking server 1006 identifies 1020 the tracking device 1002 by identifying the hash key used to generate the hashed identifier, and identifying the tracking device associated with the identified hash key. The tracking server 1006, upon identifying the tracking device 1002, identifies a diversified public key from the set of diversified public keys. In embodiments in which there is a 1-to-1 relationship between the set of hash keys and the set of diversified public keys, the identified diversified public key comprises the diversified public key associated with the hash key used to generate the hashed identifier. The tracking server 1006 then provides 1022 the identified diversified public key to the community mobile device 1004.

The community mobile device 1004 determines a location of the community mobile device, for instance by activating a GPS receiver and determining a set of GPS coordinates representative of the location of the community mobile device. Upon receiving the diversified public key, the community mobile device 1004 encrypts 1024 data representative of the determined location of the community mobile device using the diversified public key. The community mobile device 1004 then provides 1026 the hashed identifier and the encrypted location to the central tracking system 1006. The central tracking system 1006 stores 1028 the received hash identifier and the encrypted location data, for instance within a “last known location” field associated with the tracking device.

At a later time, the owner mobile device 1008 requests 1030 a current, most recent, previous, or last known location of the tracking device 1002. In response to receiving the request, the tracking server 1006 provides 1032 the hashed identifier and the encrypted location data to the owner mobile device 1008. The owner mobile device decrypts 1034 the location data using the private key associated with the set of diversified public keys. The decrypted location data can be displayed by the owner mobile device 1008, for instance within a map interface.

Although not illustrated in the embodiment of FIG. 10, it should be noted that similarly to the embodiment of FIG. 8, the private key can be encrypted using a permanent public key associated with the owner mobile device 1008, an account associated with the owner mobile device, the tracking device 1002, and the like. The encrypted private key can be provided to the tracking server 1006 for storage, and the tracking server 1006 can provide the encrypted private key to the owner mobile device 1008 with the hashed identifier and the encrypted location data. The owner mobile device 1008 can then decrypt the encrypted private key using a permanent private key corresponding to the permanent public key, and the decrypt the location data using the decrypted private key. It should also be noted that in some embodiments, the tracking device can protect the tracking device identifier using a data protection operation other than hashing, for instance by performing an encryption operation, a tokenization operation, or the like.

FIG. 11 illustrates a process for implementing end-to-end encryption in a tracking device environment using key diversification, according to one embodiment. A set of diversified public encryption keys associated with a private encryption key is generated 1102, for instance using Elgamal encryption, ECIES encryption, NaCl encryption, or any other suitable key diversification operation. The set of diversified public encryption keys is provided 1104 to a central tracking system. As noted above, the set of diversified public encryption keys may instead be provided to a key server.

A community mobile device provides 1106 a received hashed tracking device identifier to the central tracking system (or to a key server, in the event that the key server is storing the set of diversified public encryption keys). The community mobile device receives 1108 a diversified public encryption key from the central tracking system (or key server). The received diversified public encryption key can be selected based on the hashed identifier, the hash key used to generate the hashed identifier, a current time, or randomly. The community mobile device accesses location data representative of a location of the community mobile device and encrypts 1110 the location data using the diversified public encryption key. The encrypted location data is then provided 1112 to the central tracking system for storage.

At a later time, an owner of the tracking device can request and receive 1114 the encrypted location data from the central tracking system via an owner device. The owner device can decrypt 1116 the encrypted location data using the private encryption key corresponding to the set of diversified public encryption keys, and can display the location data to a user, for instance within a map interface. In some embodiments, the private encryption key can decrypt the encrypted location data despite which of the set of diversified public encryption keys is used to encrypt the location data.

Additional Considerations

The foregoing description of the embodiments of the invention has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.

Any of the devices or systems described herein can be implemented by one or more computing devices. A computing device can include a processor, a memory, a storage device, an I/O interface, and a communication interface, which may be communicatively coupled by way of communication infrastructure. Additional or alternative components may be used in other embodiments. In particular embodiments, a processor includes hardware for executing computer program instructions by retrieving the instructions from an internal register, an internal cache, or other memory or storage device, and decoding and executing them. The memory can be used for storing data or instructions for execution by the processor. The memory can be any suitable storage mechanism, such as RAM, ROM, flash memory, solid state memory, and the like. The storage device can store data or computer instructions, and can include a hard disk drive, flash memory, an optical disc, or any other suitable storage device. The I/O interface allows a user to interact with the computing device, and can include a mouse, keypad, keyboard, touch screen interface, and the like. The communication interface can include hardware, software, or a combination of both, and can provide one or more interfaces for communication with other devices or entities.

Some portions of this description describe the embodiments of the invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof.

Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. In one embodiment, a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.

Embodiments of the invention may also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, and/or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a non-transitory, tangible computer readable storage medium, or any type of media suitable for storing electronic instructions, which may be coupled to a computer system bus. Furthermore, any computing systems referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.

Embodiments of the invention may also relate to a product that is produced by a computing process described herein. Such a product may comprise information resulting from a computing process, where the information is stored on a non-transitory, tangible computer readable storage medium and may include any embodiment of a computer program product or other data combination described herein.

Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims. 

What is claimed is:
 1. A method comprising: generating, for a tracking device, a permanent encryption key pair comprising a permanent public key and a permanent private key, the tracking device associated with a set of hash keys and a unique identifier; generating a temporary private key and a corresponding set of diversified temporary public keys; encrypting the temporary private key using the permanent public key; providing the encrypted temporary private key and the set of diversified temporary public keys to a central tracking system, the central tracking system configured to associate each diversified temporary public key of the set of diversified temporary public keys with a different hash key of the set of hash keys; receiving, by a community mobile device and from the tracking device, a hashed identifier, the hashed identifier comprising the unique identifier hashed using a hash key of the set of hash keys; providing, by the community mobile device, the hashed identifier to the central tracking system, the central tracking system configured to identify the hash key used to create the hashed identifier, to identify a diversified temporary public key associated with the identified hash key, and to provide the identified diversified temporary public key to the community mobile device; encrypting, by the community mobile device, location data representative of a location of the community mobile device using the provided diversified temporary public key; providing, by the community mobile device, the hashed identifier and the encrypted location data to the central tracking system for storage; in response to requesting a location of the tracking device, receiving, by an owner mobile device, the encrypted temporary private key and the encrypted location data from the central tracking system; decrypting, by the owner mobile device, the received encrypted temporary private key using the permanent private key; decrypting, by the owner mobile device, the encrypted location data using the decrypted temporary private key; and displaying, by the owner mobile device, the decrypted location data.
 2. The method of claim 1, wherein the set of diversified temporary public keys are generated using an Elgamal encryption operation.
 3. The method of claim 1, wherein the set of diversified temporary public keys are generated using an ECIES encryption operation.
 4. The method of claim 1, wherein the set of diversified temporary public keys are generated using a NaCl encryption operation.
 5. The method of claim 1, wherein the set of diversified temporary public keys are generated using a set of elliptical curves.
 6. The method of claim 1, wherein temporary private key can decrypt the location data encrypted with any of the set of diversified temporary public keys.
 7. The method of claim 1, wherein the permanent encryption key pair is generated by one of the owner mobile device and the central tracking system.
 8. The method of claim 1, wherein the permanent encryption key pair is generated in response to activating the tracking device.
 9. The method of claim 1, wherein the tracking device is configured to include the hashed identifier in an advertising packet transmitted by the tracking device.
 10. The method of claim 1, wherein the hash key used to hash the unique identifier is selected based on a time during which the unique identifier is hashed.
 11. The method of claim 1, wherein the hash keys used by the tracking device to hash the unique identifier are rotated at a regular interval.
 12. The method of claim 1, wherein the community mobile device, in response to receiving the hashed identifier from the tracking device, is configured to activate a GPS receiver of the community mobile device and to determine a location of the community mobile device using the GPS receiver, the determined location comprising the location data.
 13. The method of claim 1, wherein the central tracking system does not have access to the permanent private key.
 14. The method of claim 1, wherein the central tracking system does not have access to the decrypted temporary private key.
 15. The method of claim 1, wherein the central tracking system is unable to decrypt the encrypted location data.
 16. The method of claim 1, wherein requesting the location of the tracking device comprises requesting a last known location of the tracking device from the central tracking system.
 17. The method of claim 1, wherein displaying the decrypted location data comprises displaying the location of the tracking device within a map interface.
 18. The method of claim 1, wherein displaying the decrypted location data comprises displaying a notification via an operating system of the owner mobile device.
 19. A method comprising: storing, by a key server, a set of diversified public encryption keys corresponding to a private encryption key associated with a tracking device; receiving, by a community mobile device and from the tracking device, a hashed identifier, the hashed identifier comprising a unique identifier associated with the tracking device hashed using a hash key; providing, by the community mobile device, the hashed identifier to the key server, the key server configured to identify the hash key used to create the hashed identifier, to identify a diversified public encryption key of the stored set of diversified public encryption keys based on the identified hash key, and to provide the identified diversified public encryption key to the community mobile device; encrypting, by the community mobile device, location data representative of a location of the community mobile device using the provided diversified public encryption key; providing, by the community mobile device, the hashed identifier and the encrypted location data to a central tracking system; in response to requesting a location of the tracking device, receiving, by an owner mobile device, the encrypted location data from the central tracking system; decrypting, by the owner mobile device, the encrypted location data using the private encryption key; and displaying, by the owner mobile device, the decrypted location data.
 20. The method of claim 19, wherein private encryption key can decrypt the location data encrypted with any of the set of diversified public encryption keys. 